Monday, 23 November 2009

SSL, not so secure?

While talking to Ross from Super Mondays last week we wandered onto SSL and he was quite surprised when I mentioned that it isn't quite as secure as everyone thinks.
Independent hacker Moxie Marlinspike has unveiled new techniques to defeat SSL encryption, which would leave common web applications such as online banking or secure website logins vulnerable to attack.
This would mean that the padlock icon in the corner of supposedly ‘safe’ websites and touted as optimal security by companies like security-with-verisign may not be as safe as people generally believe.
Marlinspike revealed his findings at the Black Hat Security conference in Washington DC, showing a number of ways where the “chain of trust” fell apart around SSL encryption.
He looked at the possibilities for new vectors of attack against HTTPS, the combination of HTTP and a network security protocol, which are often used for payment and sensitive corporate transactions.
Marlinspike also revealed a free software tool called “SSL Strip”, which could be deployed on a network and used for a man in the middle attack on all potential SSL connections.
It stripped away the SSL encryption, substituting a look-alike HTTPS site, while still convincing the user and website the security was in place.
Tools like Ettercap have been used for a long time against SSL but "SSL Strip" seems to be taking things to a much more advanced and dangerous level.
It seems that evermore personal awareness is going to be needed when logging into what we think are secure sites.

No comments:

Post a Comment